Solved

Routing Questions for DMZ/Internal LAN

Posted on 2006-05-25
337 Views
Last Modified: 2011-10-03
Hi,

We have a new neighbor that has recently moved into our building.  We are considering (and most likely are) going to provide internet access to this person from our pipe.  At the same time we set this up, we intend on splitting off some of our servers into a DMZ.  Our new neighbor will be supplying us with a Cisco Pix for their routing/security purposes.  I have a few questions on general routing and what can and can't be done.

The IP space allocated to us includes a /26 and a /24, which is honestly a fairly big waste and came about as a result of our requesting a /24 from ARIN and our ISP never deallocating the /26 despite our informing them to do so.  Ironically, at this point I believe having that extra subnet will be able to help me simplify things a bit when configuring the new design (granted, even now I only need a /29 based on what I have visualized).
                                             
Our current network looks like:   ISP ATM Switch <> ISP Router <> Our Router <> Our Network

ATM switch inside and ISP router outside are connected via ethernet and routed TCP using a /30.  On the inside of the ISP Router they have configured x.x.x.193 /26 and x.x.x.1 /24.  What I'm looking to do is break the network down to get rid of a hideously overly complex access list on our router.  What I have envisioned is the following:

                                                                     ISP Router
                                                              (x.x.x.193 /26 x.x.x.1 /24)
                                                                           |
                                         ----------------------------------------------------------- (Switch)
                                         |                                 |                                     |
                                (x.x.x.194 /29)              (x.x.x.195 /29)                   (x.x.x.196 /29)
                                   New 1811                        1721                              Their Pix
                                 (x.x.x.2 /24)               (192.168.1.1 /24)               (192.168.2.1 /24)
                                         |                                 |                                     |
                                      DMZ                        Our Network                    Their Network

The problem I see arising is that I do not think the /24 will route down to my DMZ if it is configured on the ISP router, meaning that I'd need to break it so that the outside interface has a .2 /30 as a secondary and the inside interface .129 /25 and a bunch of secondaries to fill the rest of the subnet, with a lot of wasted space.

Secondly, does the 1721 router need an access list at all if all internal traffic is natted (patted I guess) through the interface ip?

Or suggest a totally different idea that is better than mine.
                               

Question by:caplinktech

19 Comments
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 16762488
You're right, you can't do that. But why do you need the secondary at all? Just put a route in the ISP router:
x.x.x.0 255.255.255.0 x.x.x.194

The primary address on the ISP router should have a mask of /29, not /26. Save the rest for other purposes.
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 16762515
First off the only real questions I see that you seem to be directly asking are ...

DMZ routes.... and all that needs to be done is a static route to that network pointing to the DMZ network ... guess I am at a loss you have a line and are calling it a switch.... is this a L3 switch or L2 with VLAN and trunking going on?

If it were me this is what I would do.  The 1721 will do trunking I would create a trunk on the switch and put the DMZ on one vlan your network on another and their network on a 3rd.

In that case the DMZ routes would be known because they would be a connected route to the 1721.

The second question is do I need an ACL for all addresses that are using the NAT/PAT ... your answer is yes that is the only way that you will tell the router what to NAT or not.

I would also put ACLs on the VLAN interfaces in the 1721 so as to keep traffic separated.

Thanks
Scott

PS let me know if I missed the whole point of the exercise.
 

Author Comment

by:caplinktech
ID: 16762828
Hi Mike,

Part of my problem is I don't have access to the ISP router.  I could hack around the password, but I'd rather not get in trouble.  I did that once and I got a phone call asking why the last modification date was different from the one in their files :-).  I'm considering just calling them and trying to get a tech on the phone at the same time I make my changes to prevent much downtime, but I am trying to see if I could avoid the hassle of dealing with them.  The /24 wasted IPs are the ones that bother me the most, so I may just end up calling them.

Scott:

I am aware I need the standard NAT acl, but I meant in terms of "general" acl (you know the long boring permit tcp any any established type).  The fact that the traffic is natted should prevent any type of attack on the internal network.

As for the reason I'm not bothering with trunking: I felt this configuration would be much simpler, and he already has the PIX 501 from using it in his old building, and we are implementing wireless networking for our network.  Since the 1811W will give us that capability as well as allow us to have a spare router (with some trunking and reconfig) on site, we felt it was worth the extra couple hundred bucks.   PS I kind of put the 2 routers (the 1721 and 1811) backwards in the diagram.


And since Mike brought up the mask question, will pairing that /29 with the /26 cause a problem, assuming I don't try and make this a joint effort with the ISP?  I believe the leading bits are identical on both subnets.
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 16762870
oh ok so ISP owned router.... if you run a router inside and route basically all internal networks to your router and then trunk, you are still fine with doing this.

NAT will maintain address information over multiple hops so no problems there, and if you are doing NAT you are correct in stating that the ACLs are less important as no IP addresses are openly available on the internet.  NAT does offer some protection, not enough that I would consider that my only line of defense but enough that I would not worry about every little threat that comes down the pipe as it were (-Grin-)

Thanks
Scott
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 16762873
It will probably work OK since they are all within the /29. There will be some issues if the routers communicate with each other at all because they will have different broadcast addresses.  Don't try any dynamic routing between the ISP router and your own.
But if you can get the ISP to change it, so much the better. I hate how they seem to give people addressing and then make it impossible to use. In your case, YOU own the ARIN /24 and they'd better do what you want them to do with it.
 

Author Comment

by:caplinktech
ID: 16763205
Hi Mike,

If I get the ISP involved, can I move the x.x.x.1 ip in my internal interface or does that ip still need to be on the ISP router?

Scott,

What would you suggest would be a good ACL to apply on that router as the grin seems to indicate that you seem to have a standard one in mind.
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 16763339
Here is a basic example; now of course you can go into great detail, but this will get you started

ip access-list extended isp-access-in
 deny   ip host 255.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.0.31.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 208.30.64.0 0.0.7.255 any
 deny   ip 192.35.174.0 0.0.1.255 any
 deny   ip 192.35.176.0 0.0.3.255 any
 deny   icmp any any
 permit tcp any Your.ip.range 0.0.0.x established
 permit tcp any any eq (service repeated as required)
 permit udp any host (as required)
 deny   udp any any eq 1993 log
 permit tcp any any gt 1023
 permit udp any any gt 1023
 deny   ip any any log
 

Author Comment

by:caplinktech
ID: 16763475
Does that get applied on the inside or outside interface?  I recognize the loopback and internal network addresses, but you have several denies for public IP ranges; are these known published problem zones, or ones from your personal experience, or something entirely different?

Is UDP 53 not required for DNS?  I always forget how DNS works, if it is 53 to 53, or random above 1023 to 53 and replies back above 1023.  It's the one service I never get right.
 
LVL 12

Assisted Solution

by:Scotty_cisco
Scotty_cisco earned 1000 total points
ID: 16763538
all good questions... I would put that on the outside interface with access-group isp-access-in in command

The reason for the private addresses is spoofing protection, most useful in say a cable access or shared access infrastructure.  You are correct in stating you need UDP 53 for DNS, but I would only open it to one internal address that is your DNS server: permit udp any host (as required) eq 53.  Like that you provide some filtering for security and also force your employees' and corporate traffic to hit a local DNS, providing better optimization and tracking.

The destination port on DNS is always 53; the reply may come on any port.  Outbound is not the problem, it is inbound that you have here, so that is the issue.

Thanks
scott
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 16763625
>If I get the ISP involved, can I move the x.x.x.1 ip in my internal interface or does that ip still need to be on the ISP router?
  Definitely move it to your inside router. It doesn't need to be on their router at all-- just a route pointing to your router.

Regarding DNS, the destination is always UDP 53, but the source could be either 53 or >1023, depending on the version and how it was configured. If you have your own DNS server then you also need to allow TCP 53 though, because occasionally BIND will use it for queries and the RFC requires it for that. TCP queries will always be sourced from >1023. But TCP 53 is also used for zone transfers. If your DNS server gets queried from outside, you can configure the server not to respond to zone transfer requests if you want to. If your DNS server is never queried from outside, just allow
permit udp any eq 53 host [your dns server]
permit tcp any eq 53 host [your dns server] gt 1023

If you don't have a DNS server (everyone talks to the ISP's DNS server) then you don't need the TCP part:
permit udp any eq 53 any
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 16763666
By the way, I didn't know about the requirement for TCP 53 until recently. I always only allowed UDP 53. Then I posted a question on the BIND users group and I was lambasted for not allowing TCP 53 through our firewall. The idea is to allow TCP 53 and then tell the server who can request zone transfers.
 

Author Comment

by:caplinktech
ID: 16764204
Half my problem with this stuff is I don't do it enough anymore to trust myself, so another petty question.

If I get the ISP involved, and have the /26 changed to /29 on the ISP router, I can then also have the remaining subnets routed from the ISP router down to .194.  Assign those subnets to subinterfaces on the .194 router, VLAN and trunk it up and I should be good to go there as well correct?

Now only if I had an actual use for those extra ips....
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 16764231
As long as you have a static from the ISP, yes.  You could technically use private addresses, as it is a transit network anyway, but that is not a good practice.

Thanks
Scott
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 16764390
They just need to have routes pointing to the routers where it will be used. For the /26, same thing. The easiest thing would be if you had some sort of layer 3 in between their router and yours. Can your switch do any layer 3? Then you could let them just have static routes for the /26 and /24 pointing to the switch, and the device you control can be more specific.
 

Author Comment

by:caplinktech
ID: 16764479
No, it is a Cisco 2950 layer 2 switch.  But now that you mention that, what I may do is take Scott's original idea and create VLANs and a trunk for the DMZ and internal network and throw the 1760 in front of the 1811W to do exactly what you mention.

Which brings up my next curiosity-only question: is there anything a router can do that a Layer 3 switch can't?

 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 16764539
Depends ..... there are a few things I have run into ... GRE tunnels, they say they will do them but sometimes they are flaky; also with routing protocols sometimes you run into issues... and of course the obvious, on lower end switches, terminating WAN connections LOL.  I love the Cisco 3750's with the EMI code, they rock.  If you are just routing between LAN segments a router will never touch a L3 switch.  Multicast will kick the snot out of a router where a switch will just handle it.... kind of like the expression, use the right tool for the job.  High-volume LAN traffic goes on a switch.  Routers tend to do accounting and security better than switches that I have used in a general sense, if you exclude the CAT6500 and ones like that which are more like a multi port router and switch combined.

Thanks
Scott
 
LVL 28

Accepted Solution

by:
mikebernhardt earned 1000 total points
ID: 16764998
I pretty much agree. A lower-end layer 3 switch will do what a router is designed to do, but not as well. But it will move packets between ports faster.

Put your router on the OUTSIDE of the switch so you have a point-to-point link with their router and
1. have the ISP remove the /24 from their interface
2. have the ISP change the mask on the /26 to /30. If you can, get them to just use private addressing or a separate /30 between their router and yours and get rid of the public ones completely! If you have to use a /30 out of your addressing, that's OK too.
3. have the ISP put static routes on their router pointing at your router for both the /26 and the /24.

Now you can manage your public addressing however you want without involving them anymore.
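Three addressing points in the thread are easy to check numerically: Mike's earlier remark that a /29 inside the ISP's /26 works on the wire but gives the two routers different broadcast addresses, the question of which leftover subnets of the /26 would have to be routed down to .194, and the accepted design of a point-to-point /30 with statics on the ISP side. The Python below is an added example written for this page, not code from the participants. It assumes documentation ranges in place of the thread's x.x.x.* space: 203.0.113.192/26 plays the /26, 198.51.100.0/24 the ARIN /24, and 10.255.255.0/30 a private transit link of the kind Mike suggests.

```python
import ipaddress

# Constructed stand-ins for the thread's x.x.x.* addresses: 203.0.113.192/26 plays the ISP /26,
# 198.51.100.0/24 the ARIN /24. Both are documentation ranges, not the poster's real space.
ISP_SIDE = ipaddress.ip_interface("203.0.113.193/26")   # the mask the ISP configured
OUR_SIDE = ipaddress.ip_interface("203.0.113.194/29")   # the mask the poster planned to use

def mask_mismatch(a, b):
    """Two interfaces on one wire with different masks: each sees the other as on-link,
    yet they compute different broadcast addresses (why dynamic routing between them is risky)."""
    return {
        "on_link": b.ip in a.network and a.ip in b.network,
        "same_broadcast": a.network.broadcast_address == b.network.broadcast_address,
        "broadcasts": (str(a.network.broadcast_address), str(b.network.broadcast_address)),
    }

def leftover_subnets(block, carved):
    """What remains of `block` once `carved` is used on the link. With a /29 on the link, the ISP
    would have to route these to .194 before they could live on our subinterfaces."""
    block, carved = ipaddress.ip_network(block), ipaddress.ip_network(carved)
    return [str(n) for n in sorted(block.address_exclude(carved))]

def transit_plan(transit, blocks):
    """The accepted design: a point-to-point /30 between the ISP router (first usable host)
    and ours (second usable host), plus a static on the ISP side for each block we own.
    Returns (our_address, [(prefix, next_hop), ...]); raises if the link is not a /30."""
    link = ipaddress.ip_network(transit)
    if link.prefixlen != 30:
        raise ValueError("transit link should be a /30")
    isp_addr, our_addr = list(link.hosts())   # exactly two usable hosts on a /30
    statics = [(str(ipaddress.ip_network(b)), str(our_addr)) for b in blocks]
    return str(our_addr), statics

if __name__ == "__main__":
    print(mask_mismatch(ISP_SIDE, OUR_SIDE))
    print(leftover_subnets("203.0.113.192/26", "203.0.113.192/29"))
    print(transit_plan("10.255.255.0/30", ["203.0.113.192/26", "198.51.100.0/24"]))
```

With the /30 in place, both the /26 and the /24 are reached through one next hop and the ISP never needs to know how the blocks are subnetted behind it, which is exactly the "manage your public addressing without involving them" outcome of the accepted answer.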
 

Author Comment

by:caplinktech
ID: 16772747
Hi Mike,

Agreed and done last night with less of a headache from the ISP than expected including getting the /30.

Now, I am running into a weird issue with the Pix.  If you think I should open a new topic I will, but will ask here anyway.

For the pix I reset the config to factory defaults.  Enabled both interfaces, assigned ips to both interfaces.

Put a default route on the unit route outside 0.0.0.0 0.0.0.0 1

It pings everything outside the network perfectly fine, however when attempting to ping from the internal interface I get nothing.  I'm not as familiar with the Pix CLI as I am with IOS, but I established NAT with:

global (outside) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0 0 0

still I can ping everything outside, but if I do a ping inside x.x.x.193 (<- next hop router, mine) I get nothing.  The inside network can ping the pix but for some reason the pix won't pass the traffic from the inside to the outside.

Any clues?
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 16772888
I would open a new question. You're now dealing with a PIX problem which is entirely different from the original question. I haven't done NAT on PIX so someone else may be able to help you better/faster.
